
spec:
  items:
    - match:
        kinds:
          - apiGroups:
              - .*
            kinds:
              - RoleBinding
        namespaces:
          - kblt-inspector-dev
        operations:
          - CREATE
      name: roles-validation-policy
      rule:
        rego:
          parameters: |-
            affectedServiceAccounts:
              - ".*"
            allowedNamespaces:
              - kblt-inspector-dev
            serviceAccounts:
              - name: default
                roles:
                  - pod-reader
          template: kblt-inspector-dev/rego-rolebinding
  type: validation
